From 0a23a4159f9a17e52fe5e38fdc9336b800cc80e6 Mon Sep 17 00:00:00 2001
From: Brian Hackett
Date: Sat, 5 May 2012 07:18:55 -0700
Subject: [PATCH] Check that double variables have the correct representation when changing types at switch targets, bug 751320. r=dvander
---
 js/src/jit-test/tests/jaeger/bug751320.js | 22 ++++++++++++++++++++++
 js/src/methodjit/Compiler.cpp | 22 ++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 js/src/jit-test/tests/jaeger/bug751320.js
diff --git a/js/src/jit-test/tests/jaeger/bug751320.js b/js/src/jit-test/tests/jaeger/bug751320.js
new file mode 100644
index 00000000000..2013150aa77
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug751320.js
@@ -0,0 +1,22 @@
+datediff = function(date1, date2, interval) {
+ var delta = 1;
+ switch(interval) {
+ case "day":
+ delta /= 24;
+ case "hour":
+ delta /= 60;
+ case "minute":
+ delta /= 60;
+ case "second":
+ delta /= 1000;
+ case "millisecond":
+ delta *= date2.getTime() - date1.getTime();
+ }
+ return Math.round(delta);
+};
+
+var diff = datediff(new Date("2012-04-28T14:30:00Z"), new Date("2012-04-29T14:30:00Z"), "day");
+for (var i = 0; i < 50; i++) {
+ diff = datediff(new Date("2012-04-28T17:00:00Z"), new Date("2012-04-28T17:30:00Z"), "minute");
+ assertEq(diff, 30);
+}
diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index 61bcc222039..c72fb250a16 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
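Review bot: In bug751320.js the result of the first `datediff(..., "day")` call is stored in `diff` and then overwritten inside the loop without ever being checked, so only the "minute" entry point of the switch is asserted. That call enters at the first case and falls through every division, so it is presumably the path that sets up the type state the later calls depend on; adding `assertEq(diff, 1);` right after it would pin its result as well. A leading comment such as `// Warm up with one switch target, then enter at another; fallthrough between cases is intentional.` would also tell the next reader that the missing `break`s are deliberate.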
@@ -2067,6 +2067,28 @@ mjit::Compiler::generateMethod()
 frame.assertValidRegisterState();
 a->jumpMap[uint32_t(PC - script->code)] = masm.label();
+ if (cx->typeInferenceEnabled() && opinfo->safePoint) {
+ /*
+ * We may have come in from a table switch, which does not watch
+ * for the new types introduced for variables at each dispatch
+ * target. Make sure that new SSA values at this safe point with
+ * double type have the correct in memory representation.
+ */
+ const SlotValue *newv = analysis->newValues(PC);
+ if (newv) {
+ while (newv->slot) {
+ if (newv->value.kind() == SSAValue::PHI &&
+ newv->value.phiOffset() == uint32_t(PC - script->code) &&
+ analysis->trackSlot(newv->slot) &&
+ a->varTypes[newv->slot].getTypeTag(cx) == JSVAL_TYPE_DOUBLE) {
+ FrameEntry *fe = frame.getSlotEntry(newv->slot);
+ masm.ensureInMemoryDouble(frame.addressOf(fe));
+ }
+ newv++;
+ }
+ }
+ }
+
 // Now that we have the PC's register allocation, make sure it gets
 // explicitly updated if this is the loop entry and new loop registers
 // are allocated later on.
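Review bot: The comment inside the new `if (cx->typeInferenceEnabled() && opinfo->safePoint)` block names only table switches, but the guard fires at every safe point, and the regression test in this patch dispatches on string cases, which is presumably not a dense table switch. A slot left in integer form while the compiled code treats it as a double is a type-confusion hazard, so the comment should state the invariant actually enforced, for example `/* Any switch dispatch may land here without converting variables; force every double-typed phi slot at this safe point into its in-memory double form. */`. The `while (newv->slot)` walk also relies on `newValues()` ending its array with a zero-slot entry, which deserves a one-line note such as `/* newValues() is terminated by an entry with slot == 0. */`. generateMethod's body starts and ends outside the hunk.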